You can change the primary key of a key provider, for example, when you want to rotate the primary key that is used.
Prerequisites
Create and activate a key on the key server (KMS) to be used as the new primary key for the trusted key provider. This key wraps other keys and secrets used by this trusted key provider. See your KMS vendor documentation for more information about creating keys.
Procedure
- Run the Set-TrustAuthorityKeyProvider command.
For example:
Set-TrustAuthorityKeyProvider -MasterKeyId Key-ID
- Verify the status of the key provider.
- Assign Get-TrustAuthorityCluster information to a variable.
For example:
$vTA = Get-TrustAuthorityCluster 'vTA Cluster'
- Assign the Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA information to a variable.
For example:
$kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA
- Verify the status of the key provider by running $kp.Status.
For example:
$kp.Status
KeyProviderId Health HealthDetails ServerStatus
------------- ------ ------------- ------------
domain-c8-kp4 Ok {} {IP_address}
A Health status of Ok indicates that the key provider is running correctly.
Results
The new primary key is used for any new encryption operations. Data encrypted with the old primary key is still decrypted using the old key.